Highlights from Verizon’s 2022 Data Breach Investigation Report
US cellular provider Verizon has published its 2022 Data Breach Investigation Report (DBIR). The annual report is a good way to see how the data breach landscape is changing—and what threats you should pay the most attention to in the coming months. Here are some highlights from Verizon’s 2022 DBIR:
How bad guys break in
According to Verizon researchers, data breaches in 2022 were the result of four major avenues of attack: credentials, phishing, exploiting vulnerabilities, and botnets. However, these four were not equal. Compromised credentials and phishing attacks were by far the most common causes of data breaches.
The human element
Perhaps the most important finding of the 2022 DBIR was that almost all breaches—a whopping 82% of them—involved a “human element” in some way, shape, or form. In some cases this was simple human error (e.g., misconfigured cloud storage leading to a data breach). In other instances, users fell victim to phishing or social engineering attacks, resulting in breaches.
What threats are trending?
The 2022 DBIR found a significant uptick in ransomware attacks: a 13% increase over the past year. Verizon’s researchers note that this increase is as large as the past five years combined. Worryingly, the bad guys aren’t just going after big organizations. According to Verizon’s research, “The number one action type … for very small businesses are ransomware attacks.”
How to stay safe
Verizon’s 2022 DBIR highlights the data breach threats that companies and individuals are facing. It’s a disturbing report in some ways. But the good news is that we can use this research to figure out what to do in order to stay safe.
As Verizon’s research shows, the “human element” is a nearly universal factor in data breaches. There’s not much you can do to defend against insider threats at tech companies or misconfigured cloud storage, but you can take action against phishing and social engineering.
The best way to protect yourself from these threats is to learn how to spot them—and what steps to take when you do. To this end, you may want to take a phishing awareness quiz or training exercise to see what you know (and what you need to review). You can keep up with new scams and social engineering threats by following a weekly security podcast like The Checklist.
Protect your credentials…
According to the 2022 DBIR, compromised credentials were the largest single source of breaches. You can protect yourself from this threat by taking a couple of simple precautions.
First, start off by using strong, unique passwords for every account. The easiest way to accomplish this is to use a password manager. Let the software do the hard work of creating complex passwords and remembering them for you! Second, sign up for alerts so you will be notified if one of your accounts shows up in a data breach. You can do this at Have I Been Pwned (use the “Notify Me” option).
…and don’t share them
This may seem obvious to some, but we’ll say it for anyone who needs to hear it: Don’t share your credentials with anyone else.
Here’s why: Even if you trust a person on a personal level, you can’t be sure that their system or network is secure. And if you give your credentials to someone with poor security, those credentials are now at risk.
If you do need to grant someone else access to one of your accounts, there are safe alternatives. For example, some accounts let you create guest users with limited permissions so that you can give someone access without giving them your actual password!
Turn on 2FA
Verizon’s research demonstrates that credential theft and phishing are very common sources of compromise. For this reason, it’s prudent to enable two-factor authentication (2FA) on all of your accounts.
When you have 2FA enabled, you’re required to provide two forms of authentication in order to access an account. The first factor is almost always your password. Nowadays, the second factor is most often a code sent to your mobile device. If a bad guy gets your login credentials, they still can’t get into your account—because they don’t have the mobile device that the 2FA code was sent to!
One word of warning: 2FA codes sent by SMS have some security issues. They’re certainly better than no 2FA at all, but if you can use app-based 2FA, you definitely should.
Use malware protection
With ransomware and other types of malware on the rise, it’s a good idea to use an anti-malware app on your system. There are many good options for Windows users (including Microsoft Defender). macOS comes with a bit of built-in protection courtesy of XProtect, but Apple’s native tool has some serious limitations. Mac users who want extra security should consider using a robust and regularly updated third-party tool as well.
How to learn more
Want to read about Verizon’s research on breaches in more depth? Here’s a link to the full version of Verizon’s 2022 DBIR.